[CentOS] Apache/Active Directory authentication
John Hodrien
J.H.Hodrien at leeds.ac.uk
Mon Mar 14 10:11:16 UTC 2011
On Fri, 11 Mar 2011, Dvorkin, Asya wrote:
> [root at myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 host/myserver.server.com at CORE.HOST.EDU
> 2 host/rmyserver.server.com at CORE.HOST.EDU
> 2 host/myserver.server.com at CORE.HOST.EDU
> 2 host/myserver at CORE.HOST.EDU
> 2 host/myserver at CORE.HOST.EDU
> 2 host/myserver at CORE.HOST.EDU
> 2 MYSERVER$@CORE.HOST.EDU
> 2 MYSERVER$@CORE.HOST.EDU
> 2 MYSERVER$@CORE.HOST.EDU
> 2 http/myserver.server.com at CORE.HOST.EDU
> 2 http/myserver.server.com at CORE.HOST.EDU
> 2 http/myserver.server.com at CORE.HOSTEDU
> 2 http/myserver at CORE.HOST.EDU
> 2 http/myserver at CORE.HOST.EDU
> 2 http/myserver at CORE.HOST.EDU
So how did you get to the point of having this keytab?
> My problem is that I am getting an error message in apache logs:
>
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
>
> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).
Then something's wrong there.
net ads status
This *must* agree with your keytab. If it doesn't, let's start again.
net ads keytab flush
net ads keytab create
net ads keytab ADD HTTP
net ads status
klist -k
Make sure you get to a stage where what AD has and what you have agree. Once
you've got to that stage, use ktutil to read the system keytab
(/etc/krb5.keytab), and delete out the entries you don't want, leaving just
the HTTP ones. Write that out to /etc/httpd/conf/krb5.keytab.
Check it's correct:
klist -k /etc/httpd/conf/httpd.keytab
Make sure you've told apache where to find it:
Krb5KeyTab /etc/httpd/conf/httpd.keytab
The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a
good starting point.
> my keytab file:
> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
>
> I have NO right access to AD server and cannot do much about creating proper keytab file.
>
> Anything else I can do? Am I missing something?
Have a go with that, and see where you get to.
jh
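The ktutil step above (read the system keytab, delete everything except the HTTP entries, write the result to a separate file for Apache) has one practical gotcha worth showing: ktutil renumbers the remaining slots after every `delent`, so the deletions have to run from the highest slot downwards. The script below is an added example, not code from the thread; it assumes that ktutil's slot numbers after `rkt` follow keytab file order, which is the same order `klist -k` prints, and it uses the `/etc/httpd/conf/httpd.keytab` path from the `Krb5KeyTab` line.

```shell
#!/bin/sh
# Added example (not from the thread): build the ktutil command sequence that
# copies only the HTTP entries out of the system keytab into a separate file
# for Apache. Entries are deleted highest slot first, because ktutil renumbers
# the remaining slots after every delent.
#
# Assumption: ktutil numbers slots 1..N in keytab file order after rkt, the
# same order in which `klist -k` lists the entries.

# Constructed sample of `klist -k /etc/krb5.keytab` output, not real data.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.com@CORE.HOST.EDU
   2 http/myserver.server.com@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 HTTP/myserver.server.com@CORE.HOST.EDU
   2 host/myserver@CORE.HOST.EDU
   2 http/myserver@CORE.HOST.EDU'

# slots_to_delete KLIST_OUTPUT
# Prints the slot number of every entry whose principal is not http/... or
# HTTP/..., highest slot first.
slots_to_delete() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ +[^ ]+/ {
            n++
            if (tolower($2) !~ /^http\//) print n
        }' | sort -rn
}

# ktutil_script SRC_KEYTAB DST_KEYTAB KLIST_OUTPUT
# Prints a script for `ktutil` that loads SRC_KEYTAB, removes the non-HTTP
# slots and writes the rest to DST_KEYTAB. wkt appends to an existing file,
# so remove DST_KEYTAB before running the script for real.
ktutil_script() {
    printf 'rkt %s\n' "$1"
    slots_to_delete "$3" | while read -r slot; do
        printf 'delent %s\n' "$slot"
    done
    printf 'wkt %s\nquit\n' "$2"
}

# Dry run on the sample. For the real thing feed the generated script to
# ktutil, then verify with `klist -k /etc/httpd/conf/httpd.keytab` and make
# sure the file is owned by apache with mode 0600:
#   ktutil_script /etc/krb5.keytab /etc/httpd/conf/httpd.keytab \
#       "$(klist -k /etc/krb5.keytab)" | ktutil
ktutil_script /etc/krb5.keytab /etc/httpd/conf/httpd.keytab "$SAMPLE_KLIST"
```

After writing the new file, `klist -k` on it should list only the http/HTTP principals, and `net ads status` should still show a matching HTTP servicePrincipalName on the AD side.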